From da59af22f44e807e63e019aea3903457b0ef7651 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Tue, 27 Dec 2016 14:45:21 +0100
Subject: [PATCH] systemd: add systemd-binfmt policy

This systemd service registers in /proc/sys/fs/binfmt_misc binary formats for executables.

Signed-off-by: Nicolas Iooss
---
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 673bb6852..d66fedace 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -29,6 +29,7 @@
 /usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
+/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c50e93a2e..cf22ba89e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -36,6 +36,9 @@
 type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+type systemd_binfmt_unit_t;
+init_unit_file(systemd_binfmt_unit_t)
+
 type systemd_cgroups_t;
 type systemd_cgroups_exec_t;
 domain_type(systemd_cgroups_t)
@@ -162,6 +165,18 @@
 files_read_etc_files(systemd_backlight_t)
 udev_read_pid_files(systemd_backlight_t)
 
+#######################################
+#
+# Binfmt local policy
+#
+
+systemd_log_parse_environment(systemd_binfmt_t)
+
+# Allow to read /etc/binfmt.d/ files
+files_read_etc_files(systemd_binfmt_t)
+
+fs_register_binary_executable_type(systemd_binfmt_t)
+
 ######################################
 #
 # Cgroups local policy
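Review bot: The comment `# Allow to read /etc/binfmt.d/ files` above `files_read_etc_files(systemd_binfmt_t)` covers only /etc, while binfmt.d(5) also lists /run/binfmt.d and /usr/lib/binfmt.d as configuration search paths, so drop-ins shipped under /usr/lib would presumably be denied by this policy; `files_read_usr_files(systemd_binfmt_t)` would cover the /usr/lib case, and /run would need its own rule that is not visible here. The `fs_register_binary_executable_type(systemd_binfmt_t)` rule is the sensitive part of this block: writing the binfmt_misc register file selects the interpreter the kernel runs for every matching binary on the system, so this domain should stay entered only through init (the `init_system_domain` call in the earlier hunk) and be granted nothing beyond reading its own configuration. A short comment stating that intent would help future reviewers, e.g. `# Registering binfmt_misc handlers installs system-wide interpreters; keep this domain minimal`. The existing comment would also read better as `# Read /etc/binfmt.d/ configuration`.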